mustflow 2.38.0 → 2.58.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +3 -0
- package/dist/cli/commands/run/executor.js +16 -0
- package/dist/cli/commands/run/process-tree.js +6 -3
- package/dist/cli/commands/verify.js +3 -1
- package/dist/cli/lib/git-changes.js +11 -1
- package/dist/cli/lib/i18n.js +1 -1
- package/dist/cli/lib/local-index/index.js +8 -4
- package/dist/cli/lib/local-index/populate.js +17 -3
- package/dist/cli/lib/local-index/search-read-model.js +9 -7
- package/dist/cli/lib/local-index/search-text.js +2 -2
- package/dist/cli/lib/local-index/workflow-documents.js +17 -2
- package/dist/cli/lib/mustflow-read.js +14 -2
- package/dist/cli/lib/repo-map.js +16 -3
- package/dist/cli/lib/templates.js +8 -7
- package/dist/cli/lib/validation/constants.js +1 -1
- package/dist/core/active-run-locks.js +78 -20
- package/dist/core/change-classification.js +4 -0
- package/dist/core/command-contract-rules.js +1 -1
- package/dist/core/command-contract-validation.js +1 -1
- package/dist/core/command-cwd.js +13 -2
- package/dist/core/command-effects.js +22 -4
- package/dist/core/command-env.js +8 -6
- package/dist/core/command-preconditions.js +28 -2
- package/dist/core/completion-verdict.js +1 -1
- package/dist/core/line-endings.js +8 -4
- package/dist/core/safe-filesystem.js +9 -1
- package/dist/core/source-anchor-validation.js +7 -1
- package/dist/core/source-anchors.js +8 -2
- package/dist/core/verification-scheduler.js +8 -2
- package/package.json +1 -1
- package/templates/default/common/.mustflow/config/commands.toml +39 -15
- package/templates/default/i18n.toml +330 -1
- package/templates/default/locales/en/.mustflow/skills/INDEX.md +302 -5
- package/templates/default/locales/en/.mustflow/skills/agent-eval-integrity-review/SKILL.md +160 -0
- package/templates/default/locales/en/.mustflow/skills/agent-execution-control-review/SKILL.md +163 -0
- package/templates/default/locales/en/.mustflow/skills/ai-generated-code-hardening/SKILL.md +49 -13
- package/templates/default/locales/en/.mustflow/skills/api-access-control-review/SKILL.md +298 -0
- package/templates/default/locales/en/.mustflow/skills/api-misuse-resistance-review/SKILL.md +297 -0
- package/templates/default/locales/en/.mustflow/skills/api-request-performance-review/SKILL.md +189 -0
- package/templates/default/locales/en/.mustflow/skills/app-startup-performance-review/SKILL.md +309 -0
- package/templates/default/locales/en/.mustflow/skills/backend-log-evidence-review/SKILL.md +213 -0
- package/templates/default/locales/en/.mustflow/skills/business-rule-leakage-review/SKILL.md +295 -0
- package/templates/default/locales/en/.mustflow/skills/cache-integrity-review/SKILL.md +291 -0
- package/templates/default/locales/en/.mustflow/skills/change-blast-radius-review/SKILL.md +297 -0
- package/templates/default/locales/en/.mustflow/skills/client-bundle-pruning-review/SKILL.md +160 -0
- package/templates/default/locales/en/.mustflow/skills/cloud-cost-guardrail-review/SKILL.md +321 -0
- package/templates/default/locales/en/.mustflow/skills/concurrency-invariant-review/SKILL.md +193 -0
- package/templates/default/locales/en/.mustflow/skills/core-web-vitals-field-review/SKILL.md +161 -0
- package/templates/default/locales/en/.mustflow/skills/credit-ledger-integrity-review/SKILL.md +156 -0
- package/templates/default/locales/en/.mustflow/skills/database-json-modeling-review/SKILL.md +171 -0
- package/templates/default/locales/en/.mustflow/skills/database-lock-contention-review/SKILL.md +192 -0
- package/templates/default/locales/en/.mustflow/skills/database-migration-change/SKILL.md +76 -34
- package/templates/default/locales/en/.mustflow/skills/database-query-bottleneck-review/SKILL.md +194 -0
- package/templates/default/locales/en/.mustflow/skills/deletion-lifecycle-review/SKILL.md +171 -0
- package/templates/default/locales/en/.mustflow/skills/deployment-rollout-safety-review/SKILL.md +321 -0
- package/templates/default/locales/en/.mustflow/skills/desktop-auto-update-safety-review/SKILL.md +265 -0
- package/templates/default/locales/en/.mustflow/skills/desktop-background-process-stability-review/SKILL.md +318 -0
- package/templates/default/locales/en/.mustflow/skills/desktop-memory-footprint-review/SKILL.md +318 -0
- package/templates/default/locales/en/.mustflow/skills/error-message-integrity-review/SKILL.md +283 -0
- package/templates/default/locales/en/.mustflow/skills/failure-integrity-review/SKILL.md +193 -0
- package/templates/default/locales/en/.mustflow/skills/file-upload-security-review/SKILL.md +305 -0
- package/templates/default/locales/en/.mustflow/skills/frame-render-performance-review/SKILL.md +159 -0
- package/templates/default/locales/en/.mustflow/skills/frontend-accessibility-tree-review/SKILL.md +202 -0
- package/templates/default/locales/en/.mustflow/skills/frontend-localization-review/SKILL.md +202 -0
- package/templates/default/locales/en/.mustflow/skills/frontend-state-ownership-review/SKILL.md +183 -0
- package/templates/default/locales/en/.mustflow/skills/frontend-stress-layout-review/SKILL.md +193 -0
- package/templates/default/locales/en/.mustflow/skills/hot-path-performance-review/SKILL.md +159 -0
- package/templates/default/locales/en/.mustflow/skills/idempotency-integrity-review/SKILL.md +195 -0
- package/templates/default/locales/en/.mustflow/skills/image-delivery-performance-review/SKILL.md +161 -0
- package/templates/default/locales/en/.mustflow/skills/incident-triage-review/SKILL.md +185 -0
- package/templates/default/locales/en/.mustflow/skills/llm-hallucination-control-review/SKILL.md +155 -0
- package/templates/default/locales/en/.mustflow/skills/llm-response-latency-review/SKILL.md +155 -0
- package/templates/default/locales/en/.mustflow/skills/llm-service-ux-review/SKILL.md +2 -0
- package/templates/default/locales/en/.mustflow/skills/llm-token-cost-control-review/SKILL.md +155 -0
- package/templates/default/locales/en/.mustflow/skills/low-end-device-support-review/SKILL.md +340 -0
- package/templates/default/locales/en/.mustflow/skills/memory-lifetime-review/SKILL.md +169 -0
- package/templates/default/locales/en/.mustflow/skills/mobile-energy-efficiency-review/SKILL.md +329 -0
- package/templates/default/locales/en/.mustflow/skills/module-boundary-review/SKILL.md +278 -0
- package/templates/default/locales/en/.mustflow/skills/multi-agent-work-coordination/SKILL.md +1 -0
- package/templates/default/locales/en/.mustflow/skills/observability-debuggability-review/SKILL.md +208 -0
- package/templates/default/locales/en/.mustflow/skills/payment-integrity-review/SKILL.md +155 -0
- package/templates/default/locales/en/.mustflow/skills/prompt-contract-quality-review/SKILL.md +158 -0
- package/templates/default/locales/en/.mustflow/skills/quadratic-scan-review/SKILL.md +155 -0
- package/templates/default/locales/en/.mustflow/skills/queue-processing-integrity-review/SKILL.md +193 -0
- package/templates/default/locales/en/.mustflow/skills/race-condition-review/SKILL.md +188 -0
- package/templates/default/locales/en/.mustflow/skills/rate-limit-integrity-review/SKILL.md +344 -0
- package/templates/default/locales/en/.mustflow/skills/retry-policy-integrity-review/SKILL.md +195 -0
- package/templates/default/locales/en/.mustflow/skills/routes.toml +330 -0
- package/templates/default/locales/en/.mustflow/skills/security-flow-review/SKILL.md +279 -0
- package/templates/default/locales/en/.mustflow/skills/testability-boundary-review/SKILL.md +295 -0
- package/templates/default/locales/en/.mustflow/skills/transaction-boundary-integrity-review/SKILL.md +196 -0
- package/templates/default/locales/en/.mustflow/skills/type-state-modeling-review/SKILL.md +179 -0
- package/templates/default/locales/en/.mustflow/skills/web-render-performance-review/SKILL.md +164 -0
- package/templates/default/manifest.toml +388 -2
|
@@ -0,0 +1,291 @@
|
|
|
1
|
+
---
|
|
2
|
+
mustflow_doc: skill.cache-integrity-review
|
|
3
|
+
locale: en
|
|
4
|
+
canonical: true
|
|
5
|
+
revision: 1
|
|
6
|
+
lifecycle: mustflow-owned
|
|
7
|
+
authority: procedure
|
|
8
|
+
name: cache-integrity-review
|
|
9
|
+
description: Apply this skill when code is created, changed, reviewed, or reported and cache behavior can spread stale, wrong, private, overbroad, tenant-crossing, permission-wrong, version-incompatible, or source-overloading values through cache keys, query normalization, key versions, TTL and jitter, soft and hard TTL, stale-while-revalidate, stampede protection, request coalescing, negative caching, invalidation order, list or page caches, tag invalidation, L1/L2 cache layers, Redis fallback, hit/miss observability, value size, eviction policy, TTL-less keys, KEYS/SCAN use, hot keys, Redis Cluster hash tags, HTTP Vary/no-cache/no-store semantics, permission caches, cache warming, or failure-path cache tests.
|
|
10
|
+
metadata:
|
|
11
|
+
mustflow_schema: "1"
|
|
12
|
+
mustflow_kind: procedure
|
|
13
|
+
pack_id: mustflow.core
|
|
14
|
+
skill_id: mustflow.core.cache-integrity-review
|
|
15
|
+
command_intents:
|
|
16
|
+
- changes_status
|
|
17
|
+
- changes_diff_summary
|
|
18
|
+
- lint
|
|
19
|
+
- build
|
|
20
|
+
- test_related
|
|
21
|
+
- test
|
|
22
|
+
- docs_validate_fast
|
|
23
|
+
- test_release
|
|
24
|
+
- mustflow_check
|
|
25
|
+
---
|
|
26
|
+
|
|
27
|
+
# Cache Integrity Review
|
|
28
|
+
|
|
29
|
+
<!-- mustflow-section: purpose -->
|
|
30
|
+
## Purpose
|
|
31
|
+
|
|
32
|
+
Review cache changes as truth and failure-boundary changes, not only as speed changes.
|
|
33
|
+
|
|
34
|
+
A cache is a second truth store. The review question is not only "did the second request get faster?"
|
|
35
|
+
It is "which value can be wrong, who can see it, how long can it survive, how quietly can it spread,
|
|
36
|
+
and what happens to the source system when the cache misses or fails?"
|
|
37
|
+
|
|
38
|
+
<!-- mustflow-section: use-when -->
|
|
39
|
+
## Use When
|
|
40
|
+
|
|
41
|
+
- Code creates, changes, reviews, or reports cache keys, cache reads, cache writes, cache invalidation,
|
|
42
|
+
cache TTLs, Redis or Memcached use, local in-memory caches, CDN or HTTP cache headers, cache tags,
|
|
43
|
+
cache warming, cache fallback, negative caching, stale-while-revalidate, request coalescing, or
|
|
44
|
+
cache observability.
|
|
45
|
+
- A route, worker, query, permission check, feature flag, entitlement, inventory value, search result,
|
|
46
|
+
listing, feed, recommendation, API response, rendered page, generated artifact, or provider response
|
|
47
|
+
is cached.
|
|
48
|
+
- Cache behavior can vary by tenant, actor, login state, membership tier, country, language, locale,
|
|
49
|
+
A/B test, feature flag, adult verification, inventory policy, authorization, subscription, or
|
|
50
|
+
request headers.
|
|
51
|
+
- A review or final report claims that caching is safe, fast, resilient, correct, isolated, warmed,
|
|
52
|
+
invalidated, observable, or harmless under deploy, rollback, source failure, Redis failure, or
|
|
53
|
+
concurrent updates.
|
|
54
|
+
|
|
55
|
+
<!-- mustflow-section: do-not-use-when -->
|
|
56
|
+
## Do Not Use When
|
|
57
|
+
|
|
58
|
+
- The only concern is ordinary repeated work with no stale data, authority, invalidation, permission,
|
|
59
|
+
tenant, source-protection, or cache-failure risk; use `hot-path-performance-review`.
|
|
60
|
+
- The only concern is object lifetime, cache size, eviction cleanup, or retained memory without data
|
|
61
|
+
correctness or source-protection risk; use `memory-lifetime-review`.
|
|
62
|
+
- The only concern is HTTP streaming, compression, proxy buffering, or delivery transport behavior;
|
|
63
|
+
use `http-delivery-streaming` first and this skill only for cache reuse correctness.
|
|
64
|
+
- The task is a broad performance budget, profiling, benchmark, or load-test design; use
|
|
65
|
+
`performance-budget-check` first and this skill for cache integrity boundaries.
|
|
66
|
+
|
|
67
|
+
<!-- mustflow-section: required-inputs -->
|
|
68
|
+
## Required Inputs
|
|
69
|
+
|
|
70
|
+
- Cache surface: local memory, process L1, external L2, Redis, Memcached, CDN, browser cache, HTTP
|
|
71
|
+
cache, ORM query cache, generated state, read model, or framework cache.
|
|
72
|
+
- Source of truth: database, provider, file, auth service, entitlement system, inventory source,
|
|
73
|
+
canonical event stream, generated artifact, or other owner.
|
|
74
|
+
- Cached value shape: detail item, list, page, search result, permission decision, session, rate
|
|
75
|
+
limit, inventory, feature flag, API response, rendered HTML, or derived aggregate.
|
|
76
|
+
- Key dimensions: tenant, actor, viewer context, login state, membership tier, country, language,
|
|
77
|
+
locale, A/B test, feature flag, adult verification, inventory policy, authorization state, headers,
|
|
78
|
+
query parameters, schema version, and value version.
|
|
79
|
+
- Freshness contract: change frequency, stale tolerance, soft TTL, hard TTL, invalidation trigger,
|
|
80
|
+
source protection need, and deploy or rollback compatibility.
|
|
81
|
+
- Failure and concurrency contract: miss behavior, concurrent miss behavior, source timeout, Redis
|
|
82
|
+
failure, source failure, negative cache policy, update race behavior, invalidation ordering, and
|
|
83
|
+
stale serve policy.
|
|
84
|
+
- Observability evidence: hit and miss metrics, miss cost, value size, key count, eviction, expiry,
|
|
85
|
+
tenant or endpoint breakdown, status-code breakdown, source query time, source call count, and set
|
|
86
|
+
success.
|
|
87
|
+
- Relevant command-intent contract entries for tests, builds, docs, release checks, and mustflow
|
|
88
|
+
validation.
|
|
89
|
+
|
|
90
|
+
<!-- mustflow-section: preconditions -->
|
|
91
|
+
## Preconditions
|
|
92
|
+
|
|
93
|
+
- The task matches the Use When conditions and does not match the Do Not Use When exclusions.
|
|
94
|
+
- Higher-priority instructions and `.mustflow/config/commands.toml` have been checked for the current
|
|
95
|
+
scope.
|
|
96
|
+
- Required inputs are available, or missing cache authority, key, TTL, invalidation, fallback,
|
|
97
|
+
observability, or test evidence can be reported without guessing.
|
|
98
|
+
- If cache behavior affects authentication, authorization, personal data, tenant separation, sessions,
|
|
99
|
+
entitlement, payment, inventory, or admin operations, also use the relevant security, auth, backend,
|
|
100
|
+
database, or failure-integrity skill.
|
|
101
|
+
|
|
102
|
+
<!-- mustflow-section: allowed-edits -->
|
|
103
|
+
## Allowed Edits
|
|
104
|
+
|
|
105
|
+
- Add or tighten cache key construction, query normalization, key versioning, TTL and jitter,
|
|
106
|
+
soft/hard TTL handling, stale-while-revalidate, request coalescing, singleflight, bounded fallback,
|
|
107
|
+
load shedding, negative-cache policy, invalidation ordering, version checks, tag invalidation,
|
|
108
|
+
cache warming, cache observability, and focused tests tied to the changed cache surface.
|
|
109
|
+
- Split cache policy by success, not-found, permission-denied, temporary failure, stale value, and
|
|
110
|
+
unknown outcome when those outcomes need different behavior.
|
|
111
|
+
- Add tests for tenant separation, permission changes, stale value bounds, concurrent misses, source
|
|
112
|
+
failures, Redis failures, synchronized expiry, old-version cached values, update races, delete and
|
|
113
|
+
recreate flows, and deploy rollback when feasible.
|
|
114
|
+
- Do not add speculative cache layers, global flush buttons, unbounded fallback to the source, broad
|
|
115
|
+
cache bypasses, or TTL guesses without an explicit source-of-truth and stale-tolerance contract.
|
|
116
|
+
- Do not trade authorization, privacy, money, entitlement, inventory, ordering, or user trust for
|
|
117
|
+
hit rate without explicit product acceptance.
|
|
118
|
+
|
|
119
|
+
<!-- mustflow-section: procedure -->
|
|
120
|
+
## Procedure
|
|
121
|
+
|
|
122
|
+
1. Name the second truth store. State the source of truth, cached value, allowed stale duration, and
|
|
123
|
+
whether the cached value is disposable or can affect security, money, entitlement, inventory, or
|
|
124
|
+
user-visible facts.
|
|
125
|
+
2. Check key truth before speed.
|
|
126
|
+
- The key must include every dimension that changes meaning or visibility: tenant, actor, viewer
|
|
127
|
+
context, login state, membership tier, country, language, locale, A/B test, feature flag, adult
|
|
128
|
+
verification, inventory policy, authorization state, and relevant request headers.
|
|
129
|
+
- A key such as `product:{id}` is unsafe when the response varies by the viewer.
|
|
130
|
+
3. Check query normalization.
|
|
131
|
+
- Sort order-insensitive query parameters, remove defaults, normalize types, define empty value
|
|
132
|
+
handling, and state whether array order is meaningful.
|
|
133
|
+
- Treat raw `JSON.stringify(query)` as suspect until key stability, default handling, and array
|
|
134
|
+
semantics are explicit.
|
|
135
|
+
4. Check key version and schema version.
|
|
136
|
+
- Cache keys or values need a version when response shape, serialization, permission meaning,
|
|
137
|
+
query semantics, or source fields change.
|
|
138
|
+
- During deploy and rollback, old and new code must either read both formats safely, reject old
|
|
139
|
+
values clearly, or use separate versioned keys.
|
|
140
|
+
5. Check TTL as a contract.
|
|
141
|
+
- TTL is not a guess like "five minutes". Tie it to data change rate, stale tolerance, and source
|
|
142
|
+
protection.
|
|
143
|
+
- Add TTL jitter when many keys are filled together so synchronized expiry does not become an
|
|
144
|
+
expiry bomb.
|
|
145
|
+
- Separate soft TTL from hard TTL when stale-while-revalidate or stale serve during source failure
|
|
146
|
+
is allowed.
|
|
147
|
+
6. Check miss collapse and stampede control.
|
|
148
|
+
- A miss path of `get -> source -> set` is incomplete for hot keys.
|
|
149
|
+
- Look for lock, lease, singleflight, request coalescing, bounded regeneration, early refresh,
|
|
150
|
+
prewarm, or another mechanism that stops one expired hot key from sending every caller to the
|
|
151
|
+
source.
|
|
152
|
+
7. Check negative and failure caching.
|
|
153
|
+
- Negative cache can protect the source for expensive misses, but success, `404`, `403`, temporary
|
|
154
|
+
failure, timeout, and unknown outcome need separate TTLs and separate meanings.
|
|
155
|
+
- Do not let a transient outage become a long-lived "not found" or "not allowed" fact.
|
|
156
|
+
8. Check invalidation ordering.
|
|
157
|
+
- Delete-before-commit can resurrect old values when another request refills from the old source
|
|
158
|
+
value before the commit lands.
|
|
159
|
+
- Prefer commit-after-delete, outbox-driven invalidation, version compare, write-through, or a
|
|
160
|
+
local pattern that prevents old values from winning after the durable write.
|
|
161
|
+
9. Check update races.
|
|
162
|
+
- Updating the cache after a write is not automatically safe. A slower older write can overwrite
|
|
163
|
+
a newer value.
|
|
164
|
+
- Use updatedAt, monotonic version, CAS, conditional write, compare-and-set, or cache delete when
|
|
165
|
+
ordering cannot be proven.
|
|
166
|
+
10. Check list, query, and page caches separately from detail caches.
|
|
167
|
+
- List caches are harder than detail caches because latest, popular, tag, author, search, filter,
|
|
168
|
+
and page keys all change when one entity changes.
|
|
169
|
+
- Page-number caches are vulnerable to insertions and deletions. Prefer cursor keys, baseline
|
|
170
|
+
time, snapshot token, or explicit duplicate and gap behavior for feeds and infinite scroll.
|
|
171
|
+
- If tag-based invalidation is missing for compound queries, expect global flush pressure and
|
|
172
|
+
report the operational cost.
|
|
173
|
+
11. Check cache layers.
|
|
174
|
+
- Local in-memory cache splits truth per server. L1, L2, and DB each need TTL, invalidation,
|
|
175
|
+
bypass, and failure behavior.
|
|
176
|
+
- Deleting L2 while L1 survives can leave "sometimes stale" bugs that depend on load-balancer
|
|
177
|
+
routing.
|
|
178
|
+
12. Check cache outage fallback.
|
|
179
|
+
- Redis down plus unbounded DB fallback can kill the source. Fallback needs rate limit, load
|
|
180
|
+
shedding, stale serve, circuit breaker, bulkhead, or another source-protection mechanism.
|
|
181
|
+
- Decide whether cache failure is disposable or correctness-sensitive. Sessions, permissions,
|
|
182
|
+
rate limits, inventory, idempotency, and dedupe caches are not ordinary performance caches.
|
|
183
|
+
13. Check Redis keyspace and memory behavior.
|
|
184
|
+
- Review value size, key size, key schema, bounded key cardinality, max memory, eviction policy,
|
|
185
|
+
expired keys, evicted keys, and whether TTL-less keys are turning cache into state storage.
|
|
186
|
+
- `noeviction` makes writes fail at memory limit. `volatile-*` policies only evict keys with TTL,
|
|
187
|
+
so TTL-less keys can crowd out real cache behavior.
|
|
188
|
+
- `KEYS *` in application code is a production bomb. Use `SCAN` only from bounded admin or
|
|
189
|
+
maintenance paths with explicit limits.
|
|
190
|
+
14. Check hot keys and Redis Cluster distribution.
|
|
191
|
+
- Sharding does not save one hot key. Use replicas, local L1, request coalescing, prewarm,
|
|
192
|
+
chunking, or workload-specific splitting where semantics allow it.
|
|
193
|
+
- Redis Cluster hash tags are useful for intentional multi-key locality, but overusing the same
|
|
194
|
+
tag can force too many keys into one slot.
|
|
195
|
+
15. Check HTTP cache semantics.
|
|
196
|
+
- If responses vary by `Authorization`, `Cookie`, `Accept-Language`, `Accept-Encoding`, content
|
|
197
|
+
negotiation, or user context, verify `Vary` and cache-control behavior.
|
|
198
|
+
- `no-cache` means revalidate before reuse. `no-store` means do not store. Do not use one when
|
|
199
|
+
the other is required.
|
|
200
|
+
- Check freshness, validation, private versus public cacheability, CDN behavior, browser behavior,
|
|
201
|
+
and generated-client or proxy expectations.
|
|
202
|
+
16. Check permission and entitlement caches as security boundaries.
|
|
203
|
+
- A permission cache, role cache, organization-membership cache, subscription cache, admin cache,
|
|
204
|
+
or entitlement cache must be invalidated by revocation, role change, organization move,
|
|
205
|
+
subscription expiry, ownership change, and emergency access changes.
|
|
206
|
+
- Short TTL alone is not enough for decisions that should fail closed or revoke promptly.
|
|
207
|
+
17. Check cache warming and cold-start behavior.
|
|
208
|
+
- Deployment, autoscale, failover, and rollback can create synchronized cold caches that push
|
|
209
|
+
traffic to the source.
|
|
210
|
+
- Prewarm only keys with clear ownership and backpressure. Do not build an unbounded warming job
|
|
211
|
+
that becomes the outage.
|
|
212
|
+
18. Check observability.
|
|
213
|
+
- Hit rate alone lies. Break down hits, misses, stale serves, negative hits, refresh failures,
|
|
214
|
+
evictions, expirations, and set failures by endpoint, key-pattern, tenant, status-code, and
|
|
215
|
+
cache layer where useful.
|
|
216
|
+
- Log or measure miss cost: source query time, source call count, value size, generation time,
|
|
217
|
+
and set success.
|
|
218
|
+
- Keep cache metrics labels bounded; put high-cardinality keys in logs or traces only when the
|
|
219
|
+
repository privacy rules allow it.
|
|
220
|
+
19. Check tests beyond the happy path.
|
|
221
|
+
- "Second call is faster" is not enough.
|
|
222
|
+
- Cover concurrent misses, update during read, delete then recreate, source failure, Redis
|
|
223
|
+
failure, synchronized TTL expiry, old-version cached value, permission change, tenant
|
|
224
|
+
separation, list invalidation, negative-cache classification, deploy rollback, and cache-layer
|
|
225
|
+
bypass when those risks exist.
|
|
226
|
+
20. Label evidence honestly. If the repository lacks deterministic cache, Redis, CDN, HTTP, browser,
|
|
227
|
+
or load tests, report the missing evidence instead of claiming the cache is safe.
|
|
228
|
+
|
|
229
|
+
<!-- mustflow-section: postconditions -->
|
|
230
|
+
## Postconditions
|
|
231
|
+
|
|
232
|
+
- Cache source of truth, value shape, key dimensions, stale tolerance, TTL, invalidation, fallback,
|
|
233
|
+
and observability are explicit or reported as missing.
|
|
234
|
+
- Tenant, viewer, permission, entitlement, feature-flag, locale, query, schema-version, and header
|
|
235
|
+
variance cannot silently share the wrong value.
|
|
236
|
+
- Stampede, synchronized expiry, negative cache, invalidation ordering, update race, list cache,
|
|
237
|
+
page cache, tag invalidation, L1/L2 layering, Redis outage, hot key, Redis Cluster, and HTTP cache
|
|
238
|
+
semantics are fixed or reported where relevant.
|
|
239
|
+
- Permission and entitlement caches fail closed or invalidate promptly where stale values are unsafe.
|
|
240
|
+
- Cache claims are backed by configured evidence or labeled as static review risk, manual-only, or
|
|
241
|
+
missing evidence.
|
|
242
|
+
|
|
243
|
+
<!-- mustflow-section: verification -->
|
|
244
|
+
## Verification
|
|
245
|
+
|
|
246
|
+
Use configured oneshot command intents when available:
|
|
247
|
+
|
|
248
|
+
- `changes_status`
|
|
249
|
+
- `changes_diff_summary`
|
|
250
|
+
- `lint`
|
|
251
|
+
- `build`
|
|
252
|
+
- `test_related`
|
|
253
|
+
- `test`
|
|
254
|
+
- `docs_validate_fast`
|
|
255
|
+
- `test_release`
|
|
256
|
+
- `mustflow_check`
|
|
257
|
+
|
|
258
|
+
Prefer the narrowest configured test, build, docs, release, or mustflow intent that covers the changed
|
|
259
|
+
cache key, stale-data, invalidation, fallback, or observability contract. Do not infer raw Redis, CDN,
|
|
260
|
+
browser, server, benchmark, or load-test commands outside the command contract.
|
|
261
|
+
|
|
262
|
+
<!-- mustflow-section: failure-handling -->
|
|
263
|
+
## Failure Handling
|
|
264
|
+
|
|
265
|
+
- If verification fails, preserve the failing intent, failing assertion or output tail, and the cache
|
|
266
|
+
contract it exercised before editing again.
|
|
267
|
+
- If key dimensions, source-of-truth ownership, stale tolerance, invalidation trigger, or permission
|
|
268
|
+
revocation behavior are unknown, report the missing decision instead of adding a cache or guessing a
|
|
269
|
+
TTL.
|
|
270
|
+
- If safe cache behavior requires a tag index, outbox, versioned read model, CAS support, circuit
|
|
271
|
+
breaker, bounded fallback, or operational Redis/CDN evidence outside the current scope, report the
|
|
272
|
+
missing boundary and keep local changes narrow.
|
|
273
|
+
- If deterministic cache proof requires live Redis, CDN, browser, load-test, or production telemetry
|
|
274
|
+
not configured in `.mustflow/config/commands.toml`, complete available local verification and report
|
|
275
|
+
the manual evidence gap.
|
|
276
|
+
|
|
277
|
+
<!-- mustflow-section: output-format -->
|
|
278
|
+
## Output Format
|
|
279
|
+
|
|
280
|
+
- Cache surface reviewed
|
|
281
|
+
- Source of truth, cached value, key dimensions, stale tolerance, TTL, invalidation, and fallback
|
|
282
|
+
decisions
|
|
283
|
+
- Key normalization, key version, query normalization, viewer context, tenant and permission boundary
|
|
284
|
+
checks
|
|
285
|
+
- Stampede, negative-cache, invalidation-order, update-race, list/page/tag, L1/L2, Redis, hot-key,
|
|
286
|
+
HTTP cache, permission-cache, warming, and observability checks where relevant
|
|
287
|
+
- Cache-integrity fixes made or recommended
|
|
288
|
+
- Evidence level: configured-test evidence, static review risk, manual-only, missing, or not applicable
|
|
289
|
+
- Command intents run
|
|
290
|
+
- Skipped cache diagnostics and reasons
|
|
291
|
+
- Remaining cache-integrity risk
|
|
@@ -0,0 +1,297 @@
|
|
|
1
|
+
---
|
|
2
|
+
mustflow_doc: skill.change-blast-radius-review
|
|
3
|
+
locale: en
|
|
4
|
+
canonical: true
|
|
5
|
+
revision: 1
|
|
6
|
+
lifecycle: mustflow-owned
|
|
7
|
+
authority: procedure
|
|
8
|
+
name: change-blast-radius-review
|
|
9
|
+
description: Apply this skill when code is created, changed, reviewed, or reported and maintainability needs review by predicting the next-change blast radius, deletion path, policy owner, workflow owner, controller or service responsibility, boolean and option-mode sprawl, scattered domain rules, scattered authorization, state-transition ownership, direct time or randomness, transaction and external-call coupling, retry idempotency, cache-as-truth decisions, config flag combinations, tenant or partner hardcoding, legacy branch isolation, DTO/entity/view model mixing, nullable meaning, swallowed exceptions, low-context logs, implementation-coupled tests, mock-heavy tests, decorative abstraction, premature DRY, hidden ordering dependency, event contract visibility, migration/runtime compatibility, or feature removal boundary.
|
|
10
|
+
metadata:
|
|
11
|
+
mustflow_schema: "1"
|
|
12
|
+
mustflow_kind: procedure
|
|
13
|
+
pack_id: mustflow.core
|
|
14
|
+
skill_id: mustflow.core.change-blast-radius-review
|
|
15
|
+
command_intents:
|
|
16
|
+
- changes_status
|
|
17
|
+
- changes_diff_summary
|
|
18
|
+
- lint
|
|
19
|
+
- build
|
|
20
|
+
- test_related
|
|
21
|
+
- test
|
|
22
|
+
- test_audit
|
|
23
|
+
- docs_validate_fast
|
|
24
|
+
- test_release
|
|
25
|
+
- mustflow_check
|
|
26
|
+
---
|
|
27
|
+
|
|
28
|
+
# Change Blast Radius Review
|
|
29
|
+
|
|
30
|
+
<!-- mustflow-section: purpose -->
|
|
31
|
+
## Purpose
|
|
32
|
+
|
|
33
|
+
Review maintainability by predicting where the next change, failure, retry, migration, or deletion
|
|
34
|
+
will spread.
|
|
35
|
+
|
|
36
|
+
The review question is not "is this code clean?" It is "if the policy changes, where do I edit;
|
|
37
|
+
if the flow fails halfway, what state remains; if the event runs twice, is it safe; and if the
|
|
38
|
+
feature is removed, what can I delete?"
|
|
39
|
+
|
|
40
|
+
<!-- mustflow-section: use-when -->
|
|
41
|
+
## Use When
|
|
42
|
+
|
|
43
|
+
- Code review, implementation, or refactor work touches domain policies, controllers, services,
|
|
44
|
+
use cases, workflows, DTOs, entities, view models, authorization, state transitions, persistence,
|
|
45
|
+
transactions, external APIs, retries, caches, config flags, tenant branches, migrations, events,
|
|
46
|
+
logging, tests, abstractions, helpers, or legacy compatibility.
|
|
47
|
+
- A single requirement would force edits across several files, layers, modules, frontend code, SQL,
|
|
48
|
+
jobs, events, cache keys, tests, or docs.
|
|
49
|
+
- A file or service has several unrelated reasons to change under one broad noun such as `Manager`,
|
|
50
|
+
`Helper`, `Processor`, `Handler`, or `Service`.
|
|
51
|
+
- A review needs to decide whether to use `module-boundary-review`, `structure-first-engineering`,
|
|
52
|
+
`testability-boundary-review`, `failure-integrity-review`, `cache-integrity-review`,
|
|
53
|
+
`auth-permission-change`, `state-machine-pattern`, `strategy-pattern`, `result-option`, or
|
|
54
|
+
`database-migration-change`.
|
|
55
|
+
|
|
56
|
+
<!-- mustflow-section: do-not-use-when -->
|
|
57
|
+
## Do Not Use When
|
|
58
|
+
|
|
59
|
+
- The only concern is module ownership, import direction, DTO leakage, or co-change evidence; use
|
|
60
|
+
`module-boundary-review` as the primary skill.
|
|
61
|
+
- The task is early implementation structure for a known feature; use `structure-first-engineering`
|
|
62
|
+
first and this skill only for predicted change-spread evidence.
|
|
63
|
+
- The main issue is deterministic tests or hidden test inputs; use `testability-boundary-review`.
|
|
64
|
+
- The main issue is a specific failure path, cache invariant, authorization boundary, migration,
|
|
65
|
+
state machine, strategy, result type, or dependency-injection seam; use the narrower skill first.
|
|
66
|
+
- The change is a tiny pure helper with explicit inputs, deterministic output, no policy, no I/O,
|
|
67
|
+
no shared state, and no meaningful future-change branch.
|
|
68
|
+
|
|
69
|
+
<!-- mustflow-section: required-inputs -->
|
|
70
|
+
## Required Inputs
|
|
71
|
+
|
|
72
|
+
- User goal, current diff or target files, and the requirement or policy that caused the change.
|
|
73
|
+
- Change-reason ledger: which business rule, user flow, data shape, failure path, compatibility
|
|
74
|
+
rule, tenant exception, or operational behavior would make this code change next.
|
|
75
|
+
- Blast-radius ledger: controllers, services, repositories, entities, DTOs, frontend conditions,
|
|
76
|
+
SQL, migrations, batches, events, caches, config, tests, docs, and templates touched by one reason.
|
|
77
|
+
- Ownership ledger: source of truth for domain rule, authorization rule, state transition, retry
|
|
78
|
+
rule, transaction boundary, cache truth, event contract, log context, and data model language.
|
|
79
|
+
- Deleteability ledger: what files, flags, columns, event handlers, cache keys, tests, and branches
|
|
80
|
+
would need removal if the feature or policy disappears.
|
|
81
|
+
- Test and operations evidence: mocks, call-order assertions, logs, trace IDs, retry/idempotency
|
|
82
|
+
behavior, migration compatibility, and configured command intents.
|
|
83
|
+
|
|
84
|
+
<!-- mustflow-section: preconditions -->
|
|
85
|
+
## Preconditions
|
|
86
|
+
|
|
87
|
+
- The task matches the Use When conditions and does not match the Do Not Use When exclusions.
|
|
88
|
+
- Higher-priority instructions and `.mustflow/config/commands.toml` have been checked for the
|
|
89
|
+
current scope.
|
|
90
|
+
- Required inputs are available, or missing blast-radius, ownership, deleteability, or operational
|
|
91
|
+
evidence can be reported without guessing.
|
|
92
|
+
- If the review finds a concrete module, failure, cache, authorization, migration, state-machine,
|
|
93
|
+
testability, or pattern issue, use the narrower skill before editing that part.
|
|
94
|
+
|
|
95
|
+
<!-- mustflow-section: allowed-edits -->
|
|
96
|
+
## Allowed Edits
|
|
97
|
+
|
|
98
|
+
- Move or name ownership for domain policy, authorization, state transitions, workflow sequencing,
|
|
99
|
+
retry/idempotency, transaction boundaries, DTO mapping, cache truth, config interpretation, event
|
|
100
|
+
contracts, logs, migrations, and tests directly tied to the reviewed change-spread risk.
|
|
101
|
+
- Split responsibilities only when the split follows different reasons to change, not because a
|
|
102
|
+
file is long or the names look untidy.
|
|
103
|
+
- Replace boolean mode flags, trash-can option objects, tenant hardcoding, legacy branches, and
|
|
104
|
+
premature shared helpers with explicit concepts, named policies, adapters, or duplicated code
|
|
105
|
+
when that reduces future change spread.
|
|
106
|
+
- Add focused tests that prove a policy owner, state transition, idempotent retry, deletion boundary,
|
|
107
|
+
migration compatibility, or stable observable outcome.
|
|
108
|
+
- Do not add decorative interfaces, broad service layers, generic managers, speculative factories,
|
|
109
|
+
or shared helpers that hide rather than reduce the next-change blast radius.
|
|
110
|
+
|
|
111
|
+
<!-- mustflow-section: procedure -->
|
|
112
|
+
## Procedure
|
|
113
|
+
|
|
114
|
+
1. Start with the next likely change.
|
|
115
|
+
- Ask: "If this requirement changes next month, which files move?"
|
|
116
|
+
- If one policy edit needs controller, service, repository, SQL, frontend, batch, cache, and test
|
|
117
|
+
edits, the code is a puzzle, not a boundary.
|
|
118
|
+
2. Count reasons to change, not lines.
|
|
119
|
+
- A short file can still hold signup, login, points, notification, referral, admin blocking, and
|
|
120
|
+
reporting rules.
|
|
121
|
+
- Split by different change reasons, not by noun labels.
|
|
122
|
+
3. Keep controllers as doors, not bosses.
|
|
123
|
+
- Controllers should parse requests, call an application boundary, and map the result.
|
|
124
|
+
- Treat controller `if`, `for`, state mutation, external API calls, discount logic, inventory
|
|
125
|
+
checks, or notification orchestration as workflow leakage.
|
|
126
|
+
4. Reject junk-drawer services.
|
|
127
|
+
- Broad names such as `OrderService`, `UserService`, `Manager`, `Helper`, `Processor`, and
|
|
128
|
+
`Handler` often hide unrelated workflows.
|
|
129
|
+
- Name the actual responsibility or split by workflow owner when changes would not arrive
|
|
130
|
+
together.
|
|
131
|
+
5. Decode boolean mode flags.
|
|
132
|
+
- `createUser(user, true)` and `sendNotification(user, true, false)` mean one function already
|
|
133
|
+
has hidden modes.
|
|
134
|
+
- Replace modes with named variants, policy objects, strategy objects, or separate functions when
|
|
135
|
+
behavior contracts differ.
|
|
136
|
+
6. Inspect option objects for combinatorial behavior.
|
|
137
|
+
- Fields such as `skipValidation`, `dryRun`, `force`, `source`, `mode`, `type`, `retry`,
|
|
138
|
+
`legacy`, and `includeInactive` can turn one call into many products.
|
|
139
|
+
- If field combinations change behavior, use explicit mode types or separate boundaries.
|
|
140
|
+
7. Find the policy source of truth.
|
|
141
|
+
- Repeated rules such as "VIP gets free shipping" across backend, frontend, SQL, batch, and
|
|
142
|
+
cache code are not harmless duplication.
|
|
143
|
+
- Name one owner and make other layers consume facts or capabilities from that owner.
|
|
144
|
+
8. Centralize authorization policy.
|
|
145
|
+
- Scattered checks such as `role == admin`, `ownerId == user.id`, or membership scans make policy
|
|
146
|
+
changes scary.
|
|
147
|
+
- Use `auth-permission-change` when action permission needs one policy source and denial tests.
|
|
148
|
+
9. Make state transitions visible.
|
|
149
|
+
- Status values are not enough. Review where `status = ...` happens and which transitions are
|
|
150
|
+
legal.
|
|
151
|
+
- Use `state-machine-pattern` when allowed transitions need to be represented explicitly.
|
|
152
|
+
10. Pull time, randomness, and generated IDs to a boundary.
|
|
153
|
+
- Direct `new Date()`, `Date.now()`, `LocalDateTime.now()`, UUIDs, random order numbers, random
|
|
154
|
+
filenames, and generated referral codes hide reproducibility and future policy changes.
|
|
155
|
+
- Use explicit time, generator, or identifier inputs from the shell.
|
|
156
|
+
11. Draw the transaction boundary.
|
|
157
|
+
- When several saves happen, ask what remains if the middle save fails.
|
|
158
|
+
- If the answer is unclear, use `failure-integrity-review` or the relevant database skill before
|
|
159
|
+
changing behavior.
|
|
160
|
+
12. Separate external calls from committed state.
|
|
161
|
+
- DB save, payment API, DB save, notification API in one flow creates timeout, retry, and
|
|
162
|
+
duplicate-effect traps.
|
|
163
|
+
- Prefer local state plus outbox, idempotency keys, or effect descriptions when the operation
|
|
164
|
+
must survive partial failure.
|
|
165
|
+
13. Check retry idempotency.
|
|
166
|
+
- `retry(3)`, queues, webhooks, schedulers, and manual replays are dangerous without a duplicate
|
|
167
|
+
rule.
|
|
168
|
+
- Ask what happens when the same event arrives twice.
|
|
169
|
+
14. Reject cache-as-truth for important decisions.
|
|
170
|
+
- Cache can speed reads, but it should not become the source of truth for authorization, payment
|
|
171
|
+
eligibility, inventory, or other critical decisions.
|
|
172
|
+
- Use `cache-integrity-review` when cache freshness or fallback can mislead the decision.
|
|
173
|
+
15. Count config flag combinations.
|
|
174
|
+
- Flags such as `enableNewPolicy`, `useLegacyFlow`, `skipValidationForPartner`, and
|
|
175
|
+
`specialCaseTenantIds` can create untested products inside one code path.
|
|
176
|
+
- Name the supported combinations or isolate the variation behind a policy boundary.
|
|
177
|
+
16. Isolate tenant, partner, country, product, and app-version exceptions.
|
|
178
|
+
- Hardcoded `tenantId`, `partnerCode`, country code, app version, or product ID branches are
|
|
179
|
+
product debt, not just conditionals.
|
|
180
|
+
- Prefer configured capabilities, adapters, policy tables, or explicit exceptions with removal
|
|
181
|
+
owners.
|
|
182
|
+
17. Keep legacy compatibility out of the new core.
|
|
183
|
+
- `legacy`, `old`, `v1`, `deprecated`, and `temp` branches inside the main path pull old rules
|
|
184
|
+
into new code.
|
|
185
|
+
- Put compatibility in adapters, translators, migration paths, or isolated old-entry boundaries.
|
|
186
|
+
18. Separate data-object languages.
|
|
187
|
+
- DB entities, API DTOs, view models, external provider payloads, and domain objects should not
|
|
188
|
+
quietly become the same object.
|
|
189
|
+
- If one side changes and another side must follow, name the mapping owner.
|
|
190
|
+
19. Give nullable values a reason.
|
|
191
|
+
- `null` must not mean absence, unknown, failed calculation, forbidden access, and provider
|
|
192
|
+
timeout at the same time.
|
|
193
|
+
- Use variants, result types, or explicit fields that tell callers why a value is missing.
|
|
194
|
+
20. Do not hide exceptions as normal data.
|
|
195
|
+
- `catch (e) { return null }`, `catch (e) { log.warn(...) }`, and empty catches make the system
|
|
196
|
+
lie far from the failure.
|
|
197
|
+
- Use visible failure values, typed errors, or explicit degraded modes.
|
|
198
|
+
21. Make logs traceable, not decorative.
|
|
199
|
+
- Logs like `start` and `failed` without order ID, user ID, request ID, external call ID, tenant,
|
|
200
|
+
or operation name do not help future maintainers.
|
|
201
|
+
- Add safe correlation context when it is the only way to connect the failure path.
|
|
202
|
+
22. Keep tests attached to behavior.
|
|
203
|
+
- Tests that assert private methods, mock call order, or internal collaborator choreography make
|
|
204
|
+
refactors expensive.
|
|
205
|
+
- Prefer outcomes, state transitions, persisted commands, emitted events, or public results.
|
|
206
|
+
23. Treat mock count as a change-impact sensor.
|
|
207
|
+
- More than three mocks deserves a responsibility review.
|
|
208
|
+
- Five or more mocks usually means the class absorbs too many change directions.
|
|
209
|
+
24. Validate abstraction against real volatility.
|
|
210
|
+
- Interfaces, factories, strategies, and abstract classes help only when the variation axis is
|
|
211
|
+
real.
|
|
212
|
+
- Ask whether there are two real implementations now or a known future swap along this exact
|
|
213
|
+
axis.
|
|
214
|
+
25. Do not DRY together different futures.
|
|
215
|
+
- Removing duplication is harmful when two similar blocks change for different reasons.
|
|
216
|
+
- Keep duplication when it preserves independent policy evolution.
|
|
217
|
+
26. Make required ordering explicit.
|
|
218
|
+
- Initialization, validation, save, event publication, cache invalidation, notification, and
|
|
219
|
+
cleanup steps can be order-sensitive.
|
|
220
|
+
- If swapping two lines would break correctness, encode the sequence in a named workflow,
|
|
221
|
+
transaction, state transition, or command object.
|
|
222
|
+
27. Treat events as invisible function calls until proven otherwise.
|
|
223
|
+
- `publish(Event)` hides subscribers, failure behavior, ordering, duplicate delivery, and
|
|
224
|
+
compatibility.
|
|
225
|
+
- Name the event contract, listener expectations, idempotency, and failure handling.
|
|
226
|
+
28. Pair migrations with runtime compatibility.
|
|
227
|
+
- Schema changes, enum additions, defaults, indexes, and backfills must be checked against old
|
|
228
|
+
code on new schema and new code on old data.
|
|
229
|
+
- Use `database-migration-change` when deploy order or data backfill matters.
|
|
230
|
+
29. Run the deletion test.
|
|
231
|
+
- Ask: "If this feature disappears, what do I delete?"
|
|
232
|
+
- If flags, columns, conditions, events, caches, batch jobs, UI checks, and tests are scattered,
|
|
233
|
+
the feature is already rooted too deeply.
|
|
234
|
+
30. Pick the smallest boundary repair.
|
|
235
|
+
- If one owner is missing, introduce that owner.
|
|
236
|
+
- If one mode is hidden, name that mode.
|
|
237
|
+
- If the risk is too broad for the current task, report the exact next-change or deletion path
|
|
238
|
+
that remains unpredictable.
|
|
239
|
+
|
|
240
|
+
<!-- mustflow-section: postconditions -->
|
|
241
|
+
## Postconditions
|
|
242
|
+
|
|
243
|
+
- The next likely policy or workflow change has a named owner and a predictable edit path, or the
|
|
244
|
+
unpredictable spread is explicitly reported.
|
|
245
|
+
- Important side effects, transactions, retries, events, caches, config flags, migrations, and logs
|
|
246
|
+
have clear owners or remaining risks.
|
|
247
|
+
- Boolean modes, option-object combinations, tenant exceptions, legacy compatibility, and premature
|
|
248
|
+
shared helpers are either tightened or named as future-change traps.
|
|
249
|
+
- Tests and observability focus on outcomes, state, events, idempotency, and public behavior rather
|
|
250
|
+
than private choreography.
|
|
251
|
+
- The deletion path for the changed feature or policy is clearer, or the remaining deletion debt is
|
|
252
|
+
named.
|
|
253
|
+
|
|
254
|
+
<!-- mustflow-section: verification -->
|
|
255
|
+
## Verification
|
|
256
|
+
|
|
257
|
+
Use configured oneshot command intents when available:
|
|
258
|
+
|
|
259
|
+
- `changes_status`
|
|
260
|
+
- `changes_diff_summary`
|
|
261
|
+
- `lint`
|
|
262
|
+
- `build`
|
|
263
|
+
- `test_related`
|
|
264
|
+
- `test`
|
|
265
|
+
- `test_audit`
|
|
266
|
+
- `docs_validate_fast`
|
|
267
|
+
- `test_release`
|
|
268
|
+
- `mustflow_check`
|
|
269
|
+
|
|
270
|
+
Prefer the narrowest checks that cover the changed owner, behavior, tests, template surface, or
|
|
271
|
+
public contract.
|
|
272
|
+
|
|
273
|
+
<!-- mustflow-section: failure-handling -->
|
|
274
|
+
## Failure Handling
|
|
275
|
+
|
|
276
|
+
- If the blast radius cannot be predicted from current evidence, report the missing owner, hidden
|
|
277
|
+
dependency, unknown subscriber, migration uncertainty, or deletion path instead of inventing a
|
|
278
|
+
clean boundary.
|
|
279
|
+
- If the review discovers security, cache, failure, migration, testability, or state-machine risk,
|
|
280
|
+
switch to the narrower skill before editing that part.
|
|
281
|
+
- If a boundary repair would change behavior, use `behavior-preserving-refactor` or
|
|
282
|
+
`repro-first-debug` before continuing.
|
|
283
|
+
- If a command fails, use `failure-triage` before further edits.
|
|
284
|
+
|
|
285
|
+
<!-- mustflow-section: output-format -->
|
|
286
|
+
## Output Format
|
|
287
|
+
|
|
288
|
+
- Change blast radius reviewed
|
|
289
|
+
- Next likely change and owner
|
|
290
|
+
- Files, layers, jobs, caches, events, tests, docs, or migrations in the blast radius
|
|
291
|
+
- Policy, authorization, state, transaction, retry, cache, config, tenant, legacy, DTO, nullable,
|
|
292
|
+
log, test, abstraction, ordering, event, migration, or deletion findings
|
|
293
|
+
- Fixes made or recommendation
|
|
294
|
+
- Tests or behavior evidence
|
|
295
|
+
- Command intents run
|
|
296
|
+
- Skipped checks and reasons
|
|
297
|
+
- Remaining change-spread or deletion risk
|